1. Field of the Invention
The present invention relates to securing user domain access in a computer network. More particularly, the present invention relates to forcing a network computer user to terminate all then existing domain connections before proceeding with a connection to a secured domain requiring sequential only access.
2. The Background
A significant concern of the individual private and public domains making up the Internet or any other system incorporating multiple networks is the ability to insure that only those users who are authorized to access the individual private and public domains within the comprehensive network have the capability to access such networks. Serious security risks are posed by the possibility of unauthorized users having the know-how and capability to invade the individual private and public domains within the network.
In today's networking environment, many privately owned domain sites exist on the Internet which allow access only to those individuals which have been granted the proper authorization. For example, these may include company owned private domains containing confidential information and, as such, the company may grant access only to those employed by the company, or they may be communities of interest (i.e. "pay-sites") which provide information only to those users which subscribe to the privately owned domain. The user who connects to the Internet, typically by means of an Internet Service Provider (ISP) or Telephone Company (Telco), may also possess the capability to make numerous concurrent connections to these privately owned and "secure" domain sites. While these simultaneous connections add to user efficiency, they do so at the cost of heightening the potential for security violations.
Additionally, it is becoming increasingly more prevalent for individual computer users to have the capability to remotely access privately owned intra networks. This type of access allows the user to connect with the private intra network of the company from the user's residence by means of the telephone line or other convenient means. The inception of wireless remote connections have even made it possible for users to connect from almost any imaginable locale. The ability to connect remotely to individual private intra networks, once seen as a luxury, has become so commonplace that many working professionals require such access in order to accomplish their everyday job assignments. In many instances, remote users connect to privately owned intra networks through the same means that individuals connect to the Internet, typically Telcos or ISPs. This allows the remote user to concurrently connect with any number of authorized private intra networks, as well as the various public and private domains of the Internet. While these simultaneous connections are efficient to the user, they also pose the potential for serious security violations.
FIG. 1 shows a simplified diagram of a computer user connected to a computer network 10 via a host computer 12 linked to an access point 14 which grants authorization to external networks or domains 16, 18 and 20. The potential for a network security violation is posed by the user having the required authorization and capability through the access point 14 to connect with the various domains 16, 18 and 20 simultaneously. The user has access to the computer networks through a work station or host computer 12. The host computer 12 has the capability to connect with the external networks through an access point 14. An access point 14 is essentially an external location capable of permitting authorized users to access external computer networks, typically the access point consists of a series of Network Access Servers (NASs) and other related hardware, software and/or firmware. An access point 14 may also include a modem pool (not shown) maintained by a Telephone Company (Telco) or an Internet Service Provider (ISP) which enables its authorized users or subscribers to obtain external network access through the host computer 12 which has the required dial-up connection capability. Those of ordinary skill in the art will recognize that other types of access methods may be provided by a Telcos or ISP such as frame relay, leased lines, ATM (Asynchronous Transfer Mode), ADSL (Asymmetric Digital Subscriber Line) and the like.
Typically, when the user desires to access a specified domain, such as the first privately owned secured domain site 16 the user runs a network logon application program on the host computer 12 which requires the user to input user identification and authorization information as a means of initiating access to the desired network. This information is then directed to the access point 14 where it is verified to insure that the host user has the required authorization to permit access to the desired network. Once authorization is granted to the user a connection is established via the access point 14 with the home gate 22 of the specified first privately owned secure domain site 16. The connection established may be a tunnel-based connections, such as L2TP (Layer Two Tunneling Protocol) or L2F (Layer Two Forwarding) or an IP-based (Internet Protocol) connection, such as used with ATM or frame relay. The user of the host computer 12, having established such a connection, has the ongoing capability to access the specified domain until the connection is terminated either at the directive of the user or by error in data transmission. The access point 14 will typically have the capability to connect the user to various other privately owned secured domain sites, such as the second private domain site 18 or the public Internet 20. This key function of the access point 14 allows the host computer 12 to access other privately owned secured domain sites, private intra networks or the public domains of the Internet concurrently while the initial connection to the first specified private domain site 16 connection remains open. However, while simultaneous dual usage of specified domains can be a useful advantage in terms of data transfer and efficiency, it can also open up unlimited possibilities for potential security violations.
For example, FIG. 2 illustrates the scenario which may present itself where the computer user is a consultant employed by two competing companies; company X the owner of a first privately owned secured domain site 30 and company Y the owner of a second privately owned secured domain site 32. The consultant, as a means of carrying out his services, has been granted authorized remote access to both privately owned secured domain sites 30, 32. The consultant/user's host computer 34 remotely connects to these two privately owned secured domain sites 30, 32 through an access point 36, typically an ISP or Telco. The consultant/user thereby has the capability to access the two privately owned secured domain sites concurrently. The consultant/user first initiates a log-on session through an application program to gain authorized access to Company X's privately owned secured domain site 30. The authorization data, typically a user name and password, is then transmitted to the access point 36 where it is verified for authorization. Once authorization has taken place, an L2TP tunnel 38 is created between the access point 36 and the home gate 40 of Company X's privately owned secured domain site 30. While the tunnel connection to Company X's privately owned secured domain site 30 remains open, the consultant/user may have the desire to open a connection to Company Y's privately owned secured domain site 32. This connection is initiated in the same fashion as the first connection, an application program allows for log-on, authorization data is transmitted and verified at the access point 36 and an L2TP tunnel 42 connection is created between the access point 36 and the home gate 44 of Company Y's privately owned secured domain site 32.
It is in the instance, where the consultant/user has connections open concurrently with both the Company X's privately owned secured domain site 30 and Company Y's privately owned secured domain site 32 that the potential exists for an internal user of either the Company X's or Company Y's privately owned secured domain site to gain unauthorized access to the competitor's privately owned secured site. For example, an authorized user/host 46 of Company X's privately owned secured domain site 30 who has knowledge of the telnet protocol would be able to readily access the remote host computer 34 of the consultant/user. Once the remote host computer 34 of the consultant/user is accessed, then the authorized user/host 46 of Company X's privately owned secured domain site would be able to gain unauthorized access to Company Y's privately owned secured domain site 32 through the then-existing L2TP tunnel 38 created by the consultant/user if the unauthorized user possessed limited knowledge related to the consultant/user's host computer 34 and the IP (internet protocol) address of the consultant/user. With this same methodology, the opposite scenario presents itself, an authorized user/host 48 of Company Y's privately owned secured domain site 32 can potentially gain unauthorized access to Company Z's privately owned secured domain site. This type of security risk is unquestionably present today and poses a serious threat to the confidential information that businesses maintain on both privately owned and secured domain sites and private intra networks which are remotely accessible.
Additionally, a security risk is posed by the user/host who has multiple connections to various networks/domains and one of the then-existing open connections is maintained with the public Internet. In this scenario, all the simultaneous users of the Internet present themselves as possible security risks. Any one of the millions of then connected Internet users who possess the minimum remote user/host data; typically, the telnet protocol, the user/host hardware specifications and the user/host IP address, would have the potential to pierce the L2TP or L2F tunnel connection created by the authorized user and gain unauthorized access to the privately owned secured domain site.
Furthermore, the IP forwarding capabilities of certain operating systems, such as Windows NT, a product of Microsoft Corporation of Redmond, Wash. allow the redirection of IP packets among various TCP/IP connections without desired levels of security. While these types of operating systems are beneficial for their desired IP forwarding attributes, they fail to offer the owner of private domain sites the security necessary to insure that the confidential information found on their domain site is limited to authorized users.
The currently available solutions to this problem are very limited and do not offer the level of security protection that most companies operating secured and confidential private intra networks demand. Typically, in today's networking environment most companies operating privately owned secured domain sites or private remotely accessible intra networks are limited to operator/user dependant verbal or written instructions as to how to avoid the potential for security violations. This effectively means that owners of such domains or networks can do little more than warn the remote users of the security risk posed by multiple access and instruct the users not to access their particular domain or network while other connections remain open. This type of user-dependant security measure has, understandably, met with little success and the security risks which remain are pervasive and potentially devastating.
In other instances, companies have been able to minimize the risk by setting up internal access points which effectively cause the user/host to dial-in or connect directly with the private intra network without going through an external ISP or Telco. While this direct-connect service allows some measure of security it does so at the expense of increasing the costs associated with maintaining an internal access point and the additional connection costs related to remote users having to potentially incur long distance telephone service charges. Additionally, even direct connect service is not without security risks. In today's networking environment it is not uncommon for the host/user to have the capability for dual line external connections, posing the possibility of a user being connected through a first line to the direct connect private intra network while concurrently being connected via the second line to the Internet through an ISP or Telco access point. In this instance, the same security risks as described above are apparent and, thus, the direct-connect service provides inadequate security precautions for this instance, as well.